@yosriady
Last active December 8, 2015 08:12
  • /login by email & password
  • /register by email & password
  • /passwords/forgot
  • /passwords/reset
  • /oauth/fb

2FA: if a user logs in from a new device (a new device id) or from a new IP, we need to send them an OTP via email to validate the login.

Consider using Kong for the authentication layer. We don't write our own crypto, so why should we write our own auth?

yosriady commented Dec 3, 2015

Q: Why separate Local.js (Local Login Credentials) and User.js? Similarly, we seem to have 'Facebook.js' and 'Google.js' models to capture oauth return callback parameters.
A: keep user information separate: authentication, billing, and identity information should all be in separate services with separate databases.

Q: Is there a reason why we're not using Passport.js for authentication?

yosriady commented Dec 3, 2015

Q: Is there no API root at /? I think this is best practice for public APIs - not sure for ours.

yosriady commented Dec 3, 2015

Authentication TODO: Endpoint to take in username & password -> output JWT for inclusion in subsequent requests as a 'x-access-token' header. https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens#authenticating-and-creating-a-token

Use https://github.com/auth0/node-jsonwebtoken

yosriady commented Dec 3, 2015

In Kong, a consumer can have many credentials.

For username+password auth, we can use https://getkong.org/plugins/basic-authentication/, which can provision new credentials too.

For facebook/google auth, we can use https://getkong.org/plugins/jwt/

yosriady commented Dec 3, 2015

If we roll out our own authserv, we'll need to use http://passportjs.org/docs, and on valid credentials return a JSON web token that all other microservices consume to proceed. We also need to move out the database tables for Local.js, Facebook.js, and Google.js.

Q: What's the relationship between User.js and these credential objects?

yosriady commented Dec 3, 2015

Ask Sai to handle staging/production deployment: https://getkong.org/install/

yosriady commented Dec 3, 2015

Kong is an API proxy/middleware with a RESTful configuration API; it lets all calls through this proxy be authenticated beforehand.

yosriady commented Dec 3, 2015

Check if ids right now use autoincrement or uuids.

yosriady commented Dec 3, 2015

Read https://getkong.org/docs/0.5.x/proxy/

Kong basic concepts:

  • Define APIs to forward requests through Kong to. Kong determines how to proxy an API by either its DNS value or its request_path value. For example, using the request_path method, we can route all our /meal queries to a meal microservice.
  • Plugins can be enabled/disabled individually for each microservice, i.e. maybe only one service is using API Keys
  • Add consumers and provision credentials they can use to access downstream APIs

yosriady commented Dec 3, 2015

For reset password flows we will need to reprovision credentials on Kong as well.

yosriady commented Dec 3, 2015

Q: Are we using Cassandra anywhere currently? Kong uses a Cassandra cluster as primary storage, which we can provision ourselves via AWS or Instaclustr.

yosriady commented Dec 3, 2015

The Kong Server, built on top of NGINX, is the server that will actually process the API requests and execute the configured plugins to provide additional functionalities to the underlying APIs before proxying the request to the final destination.

yosriady commented Dec 3, 2015

Drawback of Kong: writing custom functionality must be through Lua plugins. https://getkong.org/docs/0.5.x/plugin-development/

yosriady commented Dec 3, 2015

Right now the API is NOT STATELESS! Authenticated status is kept in req.session.authenticated instead of, say, as a JWT passed in the request header.

yosriady commented Dec 3, 2015

Other than EC2, what other AWS services are we using or plan on using? This will greatly influence which of Kong or AWS API Gateway we use -> A LOT of services.

yosriady commented Dec 3, 2015

AWS API Gateway has an admin GUI and SDK generation built-in.

yosriady commented Dec 3, 2015

AWS is NOT extensible.

yosriady commented Dec 3, 2015

AWS API Gateway's authentication schemes are limited to AWS credentials. Tokens and oauth can only be forwarded to the backend for the services themselves to handle...

yosriady commented Dec 3, 2015

Kong seems more suitable for public APIs where there may be a large number of users.

yosriady commented Dec 3, 2015

Leaning towards Kong, as AWS API Gateway has far fewer features and is not as extensible.

yosriady commented Dec 4, 2015

We should also consider:

  1. Security measures, for example, prevent upstream services from public access
  2. Good UI to manage the gateway
  3. Mapping template to combine responses from multiple micro services so the mobile clients only need to send a single request (instead of multiple requests to render one screen) to achieve low latency and save battery
  4. Backup plan if a micro service is down: the API gateway may return cached data.
  5. Should support fail fast (http://martinfowler.com/bliki/CircuitBreaker.html)
  6. Support different types of micro services: AMQP, Lambda...
  7. Service discovery (http://microservices.io/patterns/service-registry.html)

We also need to find a way to validate/test our integration :)

yosriady commented Dec 4, 2015

The API Gateway needs to handle some requests by simply routing them to the appropriate back-end service. It handles other requests by invoking multiple back-end services and aggregating the results.

yosriady commented Dec 4, 2015

There's also https://docs.strongloop.com/display/LGW/StrongLoop+API+Gateway, but it seems to be primarily for Node.js.

yosriady commented Dec 4, 2015

AWS API Gateway fits our requirements better, although I'm still not sure if combining responses from multiple microservices is possible.
AWS API Gateway also has more straightforward testing utilities.

Example microservice: https://auth0.com/blog/2015/09/04/an-introduction-to-microservices-part-1/

yosriady commented Dec 4, 2015

Trying out https://tyk.io/
